funsec mailing list archives
Re: Consumer Reports Slammed for Creating 'Test' Viruses
From: Peter Kosinar <goober () nuf ksp sk>
Date: Sun, 20 Aug 2006 03:24:46 +0200 (CEST)
Why don't people think that dentists cause cavities and surgeons cause hernias?
Maybe because the dentists and surgeons don't make you visit them every day, just to perform some update of their work? ;-)
Blue Boar is right in assuming that AVs rely on updates (the distinction between the "scanning engine", "signatures", and other parts of the AV is disappearing over the time).It disappeared in 1991.
It might just be a matter of wording but my opinion is different. In my view, scanning engine is the code which is directly executed on the processor. Signatures are the (in most cases short) pieces of data which are used by the engine to determine if the file is infected or not.
Here is my view of the history; I may be wrong:In the -very- beginning, there were a few really simple viruses. The antivirus essentially consisted of a piece of code which read the file (or boot sector or MBR or whatever it was scanning) and a set of strings which the code attempted to locate in the file directly -- i.e. akin to strstr() function. The code was called "scanning engine", the strings were "signatures".
This separation of engine and signatures allowed the AVers to react to new malware with very little effort -- a new virus? Bang, we'll just pick 10 bytes long signature from its destructive payload and we're done! Great!
Somewhat later, encrypted viruses started to appear (still, in very small numbers). As they were encrypted differently in each infected file, it was no longer possible to pick a signature for them (to be exact, you could pick a signature from the decryptor, as it used to be quite static at first). So, one had to write a specific detection routine (=code) for this particular virus. And then for another one. And another one... As the number of encrypted viruses increased, this process was more and more tedious.
In other words, the engine was growing too fat, while the old-style signatures were no longer very useful. Thus, the obvious trick was to add some decryption-like abilities to the engine, which would first decrypt the actual body of the virus and only then run it through the signatures.
Once again, dealing with new viruses was simple -- just a matter of adding a signature. Again, these signatures were not executable code, they were just bunches of bytes that were matched against the data provided by the engine. However, the data was no longer the raw data obtained from the file/boot sector -- it was preprocessed by the engine.
And so the saga continued... When a new anti-anti-virus technology appeared in one sample virus, it was easier to consider it a special case (i.e. add a specific detection code just for it). If it started to be used more often, it was more reasonable to create some shortcut for creating new detections -- i.e. add some kind of new "signatures" for particular type of technology or some kind of workaround which re-enabled the older kind of signatures to be used.
In modern AVs, the "signatures" can be almost anything -- ranging from the basic "substrings" described above, through expert-system-like conditions like: "If the program contains this, this and this at most that far from the first occurance of this, then it is Bagle" to small programs written in a meta-language interpreted by the AV on-the-fly.
In general, the detection of known malware by name is almost always based on some kind of "signatures", whereas the proactive detection (i.e. attempts to detect as-of-yet unknown malware) is based on heuristical methods. However, nothing prevents signatures to be used in proactive detection as well -- one might, for example, perform some kind of fuzzy-matching of the signature and the actual code...
Needless to say that the bad guys are always going to be one step ahead, for they can tune their piece of code until -no- available antivirus (and practically usable <- to rule out products which flag everything as being malicious ;-) ) detects it. Then, the quality of the engines and signatures determines how long will it take the particular AV to add a detection for it.
Peter -- [Name] Peter Kosinar [Quote] 2B | ~2B = exp(i*PI) [ICQ] 134813278 _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- RE: Consumer Reports Slammed for Creating 'Test' Viruses Alex Eckelberry (Aug 19)
- RE: Consumer Reports Slammed for Creating 'Test' Viruses Drsolly (Aug 19)
- Re: Consumer Reports Slammed for Creating 'Test' Viruses Blue Boar (Aug 19)
- Re: Consumer Reports Slammed for Creating 'Test' Viruses Peter Kosinar (Aug 19)
- Re: Consumer Reports Slammed for Creating 'Test' Viruses Blue Boar (Aug 19)
- Re: Consumer Reports Slammed for Creating 'Test' Viruses Drsolly (Aug 19)
- Re: Consumer Reports Slammed for Creating 'Test' Viruses Drsolly (Aug 19)
- Re: Consumer Reports Slammed for Creating 'Test' Viruses Peter Kosinar (Aug 19)
- Re: Consumer Reports Slammed for Creating 'Test' Viruses Drsolly (Aug 20)
- Re: Consumer Reports Slammed for Creating 'Test' Viruses Blue Boar (Aug 19)
- RE: Consumer Reports Slammed for Creating 'Test' Viruses Drsolly (Aug 19)
- Re: Consumer Reports Slammed for Creating 'Test' Viruses Drsolly (Aug 19)
- Re: Consumer Reports Slammed for Creating 'Test' Viruses Blue Boar (Aug 19)
- Re: Consumer Reports Slammed for Creating 'Test' Viruses Drsolly (Aug 19)
- Re: Consumer Reports Slammed for Creating 'Test' Viruses Blue Boar (Aug 19)
- Re: Consumer Reports Slammed for Creating 'Test' Viruses Drsolly (Aug 20)
- RE: Consumer Reports Slammed for Creating 'Test' Viruses Drsolly (Aug 19)
- RE: Consumer Reports Slammed for Creating 'Test' Viruses security curmudgeon (Aug 19)
- RE: Consumer Reports Slammed for Creating 'Test' Viruses Drsolly (Aug 19)